Fw: Hybris worm

[Philippe Bourcier <philippe () CYBERABUSE ORG>]

I forward this message I received after my 1st post to the list about Hybris
because I also recently seen those trojan mails with an empty "from:".

Philippe Bourcier
-------------------------------------
www.documents.cyberabuse.org

> We have had quite a large problem with Hybris here (in Greece). It was at
> first sending itself to recipients using an email address of
> hahaha () sexyfun net, however recently it has started using an empty "mail
> from:". (You can read more about this on page 15 of RFC 821, and in the
> "SMTP REQUIREMENTS" section of RFC 1123").
>
> Note that an empty mail from is a feature of the SMTP protocol that is
> REQUIRED for most mail servers.
>
> Having a blank mail from: basically means it cannot be filtered by the use
> of access_db or its equivelent in other mailers (I'm using Sendmail). You
> can however block it by modifying sendmail.cf. Although, the only mail
> servers on which it seems acceptable to deny an empty mail from: are those
> which do not act as an MX for a domain, and therefore will never receive
any
> notification messages from SMTP daemons.
>
> Reading the relevant sections of the above mentioned RFC's should clear up
> any confusion about this subject. :)

A Greek administrator (who wanted to remain unknown)